secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

Could not convert taint to access path #144

Open salmanee opened 5 years ago

salmanee commented 5 years ago

While running FlowDroid on some APKs I run into the following runtime exception:

java.lang.RuntimeException: Could not convert taint to access path: Field [<android.os.Message: int what>] true at $r3 = staticinvoke <android.os.Message: android.os.Message obtain(android.os.Handler,int)>($r2, $i0)

I initially suspected that it might be an invalid seed method, but after checking the isValidSeed() function it seems like it already excludes all android.* APIs.

Has anyone run into this issue, or have an idea how to resolve it?

Thanks much,

StevenArzt commented 5 years ago

That seems to be a problem with StubDroid while applying data flow summaries. Can you please provide the APK file and your precise FlowDroid configuration?

salmanee commented 5 years ago

Sure @StevenArzt. I used the following APK (Netflix app): here, with the following source and sink config: here, and ran FlowDroid with the following command options:

java -Xmx32g -jar soot-infoflow-cmd/target/soot-infoflow-cmd-jar-with-dependencies.jar -a tested-apks/${apk}.apk -p android-platforms/ -s SourcesAndSinks_Config/${apk}.txt -o sootOutput/${apk}.xml

StevenArzt commented 5 years ago

I can't reproduce the issue with the newest version of FlowDroid. Did you use the "develop" branch, or one of the release versions? Can you check again with the code from the "develop" branch? Maybe the problem has been fixed in the meantime without anyone noticing.

salmanee commented 5 years ago

@StevenArzt I forgot to point out that I only get this exception when I run FlowDroid with -cg CHA. Running it with the default SPARK algorithm works fine.

I've also tried running the code from the develop branch. It still throws the same exception.

StevenArzt commented 5 years ago

The problem seems to occur because of imprecisions in the CHA callgraph. I have committed a fix, but I am not totally happy with it. It's a kludge to cope with the inherent shortcomings of CHA. Although the data flow analysis should now work with CHA, I'd suggest that you use the normal SPARK algorithm.

salmanee commented 5 years ago

Thank you @StevenArzt. I want to point out that I ran into the same exception while running this also using SPARK, using the following APK: and the following source and sinks file: running FlowDroid using the command:

java -Xmx8g -jar soot-infoflow-cmd/target/soot-infoflow-cmd-jar-with-dependencies.jar -a tested-apks/${apk}.apk -p android-platforms/ -s SourcesAndSinks_SPARK/${apk}.txt -o sootOutput/${apk}.xml

This exception appears to happen mainly with android.os.Message: Could not convert taint to access path: Field [<android.os.Message: java.lang.Object obj>] true at $r3 = staticinvoke <android.os.Message: android.os.Message obtain(android.os.Handler,int,java.lang.Object)>(null, 5, $r4)

I also noticed that the termination state in the XML always reports "Success" even in the case of this exception.
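
The mismatch reported in the last comment (exception thrown, results XML still reporting "Success") can be caught by checking the run log alongside the results file. This is an added example, not part of the thread or FlowDroid's own code; it assumes the termination state is a `TerminationState` attribute on the XML root element and that the console output of the run was saved as text. The sample XML and the first log line are constructed; the two exception lines are the ones quoted in this thread.

```python
import re
import xml.etree.ElementTree as ET

# Exception text as quoted in this thread; captures class, type and field name.
CONVERT_ERR = re.compile(
    r"Could not convert taint to access path: Field \[<([\w.$]+): ([\w.$\[\]]+) (\w+)>\]")

# Constructed sample inputs (not real FlowDroid output).
SAMPLE_XML = '<DataFlowResults TerminationState="Success"><Results/></DataFlowResults>'
SAMPLE_LOG = """\
[main] INFO - constructed log line: starting analysis
java.lang.RuntimeException: Could not convert taint to access path: Field [<android.os.Message: int what>] true at $r3 = staticinvoke <android.os.Message: android.os.Message obtain(android.os.Handler,int)>($r2, $i0)
java.lang.RuntimeException: Could not convert taint to access path: Field [<android.os.Message: java.lang.Object obj>] true at $r3 = staticinvoke <android.os.Message: android.os.Message obtain(android.os.Handler,int,java.lang.Object)>(null, 5, $r4)
"""

def summary_failures(log_text):
    """Return sorted unique (class, field) pairs named in conversion errors."""
    return sorted({(m.group(1), m.group(3)) for m in CONVERT_ERR.finditer(log_text)})

def triage(xml_text, log_text):
    """Combine the XML termination state with evidence from the run log."""
    root = ET.fromstring(xml_text)
    # Assumption: the state is an attribute named TerminationState on the root.
    state = root.get("TerminationState", "missing")
    failures = summary_failures(log_text)
    if state != "Success":
        verdict = "incomplete"
    elif failures:
        verdict = "suspect"  # XML says Success, but the log shows the exception
    else:
        verdict = "ok"
    return {"state": state, "verdict": verdict, "failed_fields": failures}

if __name__ == "__main__":
    print(triage(SAMPLE_XML, SAMPLE_LOG))
```

A "suspect" verdict means the reported flows for that APK should not be treated as complete until the run is repeated without the exception.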